Keeping antivirus software protection current on all company-owned computing devices has become an essential business practice. That's not a simple endeavor.
ThirdCertainty recently sat down with Andy Hayter, security evangelist at antivirus vendor G Data Software, to discuss the intricacies of managing antivirus solutions effectively, particularly in small and mid-sized companies. (Answers edited for clarity and length.)
3C: With hackers updating their virus signatures almost minute-to-minute, why do companies still need antivirus protection?
Hayter: One of the myths out there today is that antivirus is dead. But the good news is that antivirus software today isn't just signature-based. It includes heuristic technology that looks at the characteristics of a piece of software executing on your computer.
So in many cases, even though a particular piece of malware may not necessarily have been identified through a signature, it can easily be identified through the heuristics.
Security & Privacy Weekly News Roundup: Stay informed of key patterns and trends
3C: As a business owner or manager, if I'm implementing my antivirus solution on my own, what should I know?
Andy Hayter, G Data Software security evangelist
Hayter: Having a management interface is important, so that you can manage all devices and deploy the antivirus software out to all your devices and keep it maintained and updated. Your vendor should offer training to your key personnel.
It's important for them to understand how to manage threats, and understand what's going on in your network environment from a malicious software perspective.
3C: Is relying on my IT department to take charge of security wise?
Hayter: Most small and mid-sized companies are going to look at the IT department to do this. They are not large enough to have a separate security function. The CEO and CFO still must fully understand the impact malware can have.
3C: What about outsourcing security?
Hayter: Many smaller companies don't have the time or resources to get someone up to speed and trained, or even multiple people trained, because this is a 24-hour type of situation. So more companies are looking at managed security Service (MSS) providers to take this on for them. This entails a solution that a third party manages remotely through a remote management console.
So it depends on whether the business has the time and the money to train people or wants to outsource this to a professional whose business is security. Either way, you still need to train your IT staff so they know the fundamentals of security and can protect the business in an emergency.
3C: So I can't just outsource and wash my hands of security?
Hayter: No. You cannot wash your hands of security. Your managed security service provider is there for you, but you still have to understand the basics. You still have to perform the training. And you still are the person on site to talk to your employees about situations that might occur at 8:30 in the morning when they log on their PC and get a strange e-mail.
3C: Establishing a security mind-set for my company is a day-to-day thing?
Hayter: Right. If you do outsource your security, you cannot just forget about it and pray that it's done completely. You still need to train your employees and help them understand that bad things can happen to them.